---
title: Introduction
course: intro_pentest
section: Scanning
layout: lesson
---

Once step 1 has been completed, you should have a solid understanding of our target and a detailed collection of gathered information. This data mainly includes our collection of IP addresses. Recall that one of the final steps in reconnaissance was to create a list of IP addresses that both belonged to the target and that we were authorized to attack. This list is the key to transitioning from step 1 to step 2. In step 1, we mapped our gathered information to attackable IP address. In step 2, we’ll map IP addresses to open ports and services.

It’s important to understand that it’s the job of most networks to allow at
least some communication to flow into and out of their borders. Networks that
exist in complete isolation with no Internet connection, no services like e-mail
or traffic are very rare today. Each service, connection or potential connection
to another network provides a potential foothold for an attacker. Scanning is
the process of identifying live systems and the services that exist on those
systems.Step 2 begins by breaking the scanning process into three different
phases:

1. Determining if a system is alive
2. Port scanning the system
3. Scanning the system for vulnerabilities

Later on this chapter, we'll discuss tools that combine these phases into a
single process; however, for the purpose of introducting and learning new
material, it's best for cover them separately.

Step 1 is the process of determining whether a target system is turned on and
capable of communicating or interacting with our machine. This step is the last
reliable and we should always continue with steps 2 and 3 regardless of the
outcome of this step and make nothe of any machines that respond as alive.

Step 2 is the process of identifying the specific ports and services running a
particular host.

Simply defined, ports provide a way or location for software and networks to
communicate with hardware like a computer. A port is a data connection that
allows a computer to exchange information with other computers, software or
devices. Prior to the interconnection of computers and networks, information was
passed between machines through the use of physical media like floppy drives.
Once computers were connected to a network, they needed an efficient means for
communicating with each other. Ports were the answer. The use of multiple ports
allows for simultaneous communication without the need to wait.

To further clarify this point for those of you who are unfamiliar with ports and
computers, it may be helpful to consider the following analogy: Think of your
computer as a house. There are many different ways that a person can enter the
house. Each of the different ways to enter your house (computer) is like a
computer port. Just like a port on a computer, all the entryways allow traffic
to flow into and out of your home.

Imagine a house with unique numbers over each of the potential entry points.
Most people will use the front door. However, the owners maty come in through
the garage door. Sometimes, people enter the house from a backdoor or sliding
glass door off the deck. An unconventional person may climb through a window or
attempt to sqeeze through the doggie door.

Regardless of how you get into your house, each of these examples corresponds
nicely with the analogy of computers and ports. Recall that ports are like
gateways to your computer. Some ports are more common and receive lots of
traffic (just like your front door); others are more obscure and rarely used (by
humans) like the doggie door.

Many common services run on standard port numbers and can give attackers an
indication as to the function of the target system. The following table provides
a list of common ports and their corresponding services:

<table class="table">
<thead>
<tr>
<th scope="col">Port number</th>
<th scope="col">Service</th>
</tr>
</thead>
<tbody>
<tr>
  <td>20</td>
  <td>FTP Data transfer</td>
</tr>
<tr>
  <td>21</td>
  <td>FTP Control</td>
</tr>
<tr>
  <td>22</td>
  <td>SSH</td>
</tr>
<tr>
  <td>23</td>
  <td>Telnet</td>
</tr>
<tr>
  <td>25</td>
  <td>SMTP (E-Mail)</td>
</tr>
<tr>
  <td>53</td>
  <td>DNS</td>
</tr>
<tr>
  <td>80</td>
  <td>HTTP</td>
</tr>
</tbody>
</table>

Obviously, there are many more ports and services. However, this list serves as
a basic introduction to common ports that are utilized by organizations
nowadays. You’ll see these services repeatedly as you begin to port scan your
targets.

We need to pay special attention to the discovery of any open ports on our
target systems. You should make detailed notes and save the output of any tool
run in the second step. Remember, every open port is a potential gateway into
the target system.

The final step in scanning, the third one, vulnerability scanning. Vulnerability
scanning is the process of locating and identifying known weaknesses in the
services and software running on a target machine. The discovery of known
vulnerabilities on a target system can be like finding pot of gold at the end of
a rainbow. Many systems today can be exploited with little or no skill when a
machine is discovered to have a known vulnerability.

It’s important to mention that there’s a difference in the severity of various
vulnerabilities. Some vulnerabilities may present little opportunities for an
attacker, whereas other will allow you to completely take over and control a
machine with a single click of a button. We’ll discuss the various levels of
vulnerabilities in more detail later in this chapter.
